Tag Archives: Cellebrite

Cybersecurity News for the Week Ending April 30, 2021

Signal Tells Cellebrite to Back Off

Signal is the encrypted message app created by white hat hacker Moxie Marlinspike and his team. Cellebrite is the Israeli company that cracks cell phones for law enforcement. Cellebrite claims to be able to crack Signal’s messages (it is not clear if they are breaking the crypto or have figured out a way to get Signal to decrypt messages for it). Moxie says that Cellebrite’s software development practices are so bad that he can totally corrupt – subtly – any data that they collect. He proposes a truce which he knows they won’t accept. In the meantime he is planting timebombs in his software so that if Cellebrite looks at his data, well, sorry Cellebrite. Credit: Hackread

Third Party Risk. Third Party Risk. Third Party Risk.

I can’t say it enough. We hire these vendors and then they get breached. And we get sued. This time it is the California DMV. They use a vendor to verify people’s addresses. Not exactly sure why, but it might make sense to outsource it. The vendor is American Funds Transfer Services (AFTS). AFTS got hit by ransomware and they had 20 months’ worth of data (why?). They said they shut down the network real quick after they figured out they were attacked AND they hired a whole new company to build them a bright, shiny, new, (?more secure?) network. THESE FOLKS JUST LOST THEIR CONTRACT WITH THE DMV AS A RESULT OF THE ATTACK – consider that! Credit: Freightwaves

Feds Delay Real-ID Requirement Again

After terrorists flew planes into the Twin Towers on 9/11 the feds decided that the real problem was that our drivers’ licenses were not secure enough, allowing terrorists to get fake IDs. That was the genesis of the RealID Act in 2005. It requires states to get better identification of people before issuing licenses, including people who already have one, but more importantly to the feds, it gives them access to all 50 states’ drivers’ license databases. A few states have resisted and the feds have come back and said well, then, you won’t be able to board airplanes or enter federal buildings. That was 2005. Until this week, the deadline to prevent terrorists from getting drivers’ licenses was October 2021. Think about that. If it really was anything other than a big data grab, would waiting 20 years to fix the so-called problem be acceptable? Now, due to Covid, they moved the deadline back to May 2023. While all states finally succumbed to federal pressure, fewer than half of the drivers’ licenses in circulation have been updated to meet the requirement. Credit: CNN

Feds Tell Businesses to Tighten Security in Wake of Russian Attacks

In light of SolarWinds and other attacks, the feds are telling businesses to review any connections between their business networks (IT) and their control networks (OT). OT networks are the networks that control the electrical grid, water, sewer and gas. But they are also used in manufacturing, refining and normal businesses. The feds say, correctly, that every connection between your IT network and OT networks increases the attack surface. Credit: Cyberscoop

Babuk Ransomware Group Says Encryption Unnecessary for Extortion

Babuk, one of the big ransomware groups that even had an affiliate program, has figured out where the money is. Encrypting your data has not encouraged enough people to pay the ransom. On the other hand, stealing your data and threatening to publish or sell it is generating good revenue, so they are shifting their business model. No longer are they encrypting your data; they are just stealing it. Of course, this is just one ransomware gang. Credit: Bleeping Computer

Is the Apple Losing its Shine?

Last week there were multiple reports that Petah Tikvah, Israel-based Cellebrite could unlock any iPhone up to and including the iPhone X running the most current version of the Apple OS, but you had to send the phone to them along with a check for $1,500, per phone.

This week there is a report that Grayshift, an American startup, says that it too can unlock your iPhone for the cops.

Wait, I just got a phone call.  My grandmother says that she can unlock any iPhone and she will do it for free.  Just kidding about that one, but two different companies, one week apart are saying they can hack any iPhone.  This seems really strange.

Grayshift was apparently founded by some U.S. intelligence community contractors and a former Apple security engineer.

They are privately circulating a data sheet that says that if you buy their software you can unlock 300 phones for $15,000 or an unlimited number of phones for $30,000.  The cheap version (a relative term) must be used online (so, I assume, that you cannot cheat them);  the expensive version can be used offline since it doesn’t need to keep track of how many phones you have unlocked.

The software itself is called GrayKey.

Apparently, right now, GrayKey will only unlock phones running iOS 10 and 11 – which is likely the majority of iPhones, but a version that will unlock iOS 9 is coming soon.

One guess is that these firms have figured out how to hack into Apple’s Secure Enclave, the heart of the security of the iPhone.  *IF* that is true, that is a real problem.  Of course Apple could figure out what both of these firms are doing and make them start over.  In the case of GrayKey, since the system is delivered to a paying customer, if Apple engineers can, somehow, get access to the system they can probably figure out what the software exploits.

It is also speculated that the attack might be a brute force attack, meaning that it starts with “A” and goes to “B” and then “C” and so on until it unlocks the phone.  Again, *IF* this is true, the longer the password is, the harder it is to use this technique.  For example, if the password is 8 characters and only uses letters and numbers, then there are ONLY 218,340,105,584,896 or 218 trillion possible guesses.  On the other hand, a 12 character password raises that number to 3,226,266,762,397,899,821,056 or 3 sextillion possibilities.  Passwords longer than 12 characters would require even more guesses.

The moral of this story is that long passwords, even with just upper and lower case letters plus numbers and no special characters will take a long time to crack.  One article said that a 12 character password would take 200 years to crack at a billion guesses per second.  If it does take that long, even if they do succeed, you won’t care.  Using that same billion guesses a second, an 8 character password would only take 60 hours.

I think this story is not over;  stay tuned for updates.

Information for this post came from Forbes.

The Feds (and Others) Can Probably Unlock Any iPhone Ever Made

Here’s something you don’t hear every day.

Cellebrite, a cell phone hacking vendor based in Petah Tikvah, Israel, claims that they can unlock any iPhone ever made, including the iPhone X running iOS 11.2.6.

Cellebrite, which offers its services to the highest bidder – mostly law enforcement and governments, both ones that have a better track record with privacy and those that have a horrible privacy record such as Russia – has made a business out of offering forensics services pretty much to anyone whose check will clear.  That is probably being a bit unfair, but they were hacked themselves last year and from the data that was released, the statement above does not appear to be too far off.

In any case, typically the newer phones are harder to hack.  You may remember that the FBI paid someone over a million dollars to hack into the iPhone of the San Bernardino shooter after the FBI did not reach out to Apple in a timely manner and get directions on how to unlock it.  In the case of iPhones, usually waiting is your enemy because after a phone is locked for too long, extra security features kick in making it harder to unlock.

Apple adds new security features with every release, so it is especially embarrassing to Apple that their newest flagship phone – one that costs over a thousand dollars at retail – running its newest operating system can, apparently, be popped open like a can of Coke or Pepsi.

This hacking process is typically a cat and mouse game – the hackers figure out how to break in and Apple fixes it after they find out and the process starts over.

In this case, in order to maintain their revenue stream for as long as possible, Cellebrite has added a twist to the unlock process.

Normally the unlock features are added to their software which police departments and repressive governments license for an annual fee.  This time the agency has to send the phone to Cellebrite which will charge them a fee of around $1,500 per phone to unlock and they will return the phone unlocked.

Let’s say that governments and others send them just 1,000 phones – the NY DA alone said that he had 400 phones that he would like unlocked, so that number is stupid low – then that would generate an extra million and a half dollars to their revenue for the year.

The other thing that it does is protect the bug that they found from being identified and fixed by Apple.  There are likely businesses who are friendly to Apple and who have licensed Cellebrite’s software.  If the unlock feature were added to the software, then Apple would connect a test phone with extra debug features to the Cellebrite software and likely figure out exactly what Cellebrite is exploiting so that they can plug the hole.

So this method – forcing the cops to write a check and send them the phone – both provides a major revenue boost and preserves the bug for a longer time.

All that notwithstanding, I am sure that Apple is scratching their collective heads trying to figure out what Cellebrite is doing.

And, just to be clear, this is not a theoretical issue.  Homeland Security has already written a check to get at least one iPhone X unlocked.

If you are a terrorist or someone who would prefer that the feds or other repressive governments can’t see what is on your phone, do not count on Apple to be able to provide that to you, at least for now.

Information for this post came from Forbes.

Cellphone Hacker Becomes Hackee

The Israeli company Cellebrite, known for building hardware and software to extract data from most cell phones, was itself hacked.

Earlier this week a hacker gave Motherboard 900 gigabytes of data from Cellebrite.  We do not know if this is all they have or merely the beginning of a long trickle.

Motherboard says that there was a lot of technical data, customer information, customer trouble tickets and device images.

At this point, it is not clear what the hacker plans to do with the data.

The trouble tickets give some indications of countries that they sell to such as Turkey, United Arab Emirates and Russia.

While Cellebrite says that they only sell to governments (police and military), some of those governments have a questionable civil rights record.

Cellebrite, in defending themselves, said the hack was illegal.  Some people say that while the software that they make and sell may be technically legal (they say they are not responsible for how their software is used), it is used in ways that may not be morally supportable.  Of course, that is a very subjective conversation.

Besides saying that the hack was illegal, they said that the data was from an old, web-facing customer portal.

What we do not know is how much other data was taken and whether there will be “interesting” information in the device images that were stolen.

Certainly Cellebrite is not unique in selling hacking software to questionable countries, nor are they the first – or last – “hackers” to be hacked themselves.

If, in fact, the data taken was from an old server used by customers who had not moved to a new server, it points out that those migrations should be managed so that old servers don’t stick around any longer than needed.  Servers that are not powered on are hard to hack.

Information for this post came from Ars Technica.

Hand Over Your Phone If You Are In An Accident!

In the “what could go wrong with this” department, New York lawmakers are considering a piece of legislation that would require drivers who are involved in an accident to submit their phone to roadside testing to determine if they were using their device prior to crashing the vehicle.  License, registration, proof of insurance and phone, please.

Refusing to turn over your phone would cause an immediate suspension of your license or cross-state permission to drive in New York.

While this bill has not been passed – or signed into law – the mind boggles as to how this could be abused and misused.

Here is the concept:  the cop would take your phone and plug it into a forensic analyzer like the ones that the police already use when they seize a phone at a crime scene.  Companies like Cellebrite, the Israeli/Japanese company that was originally thought to have unlocked the San Bernardino shooter’s phone, are already working on software to do this.

To attempt to get around the Fourth – and Fifth – Amendment issues, the software that Cellebrite is developing, supposedly, would not capture conversations, contacts, phone numbers and other stuff that, in theory, would require a warrant.  I *definitely* believe that.

This bill follows some intense lobbying from a group called Distracted Operators Risk Casualties (DORC).  As with MADD, the group grew out of a family tragedy: the son of the group’s co-founder was killed by a supposedly distracted driver.

Assuming this bill makes it into law, I am sure it will be the source of many court cases, possibly up to and including those 8 folks in black robes in Washington.

If the phone is locked or encrypted, I gather, you will be required to unlock and thereby decrypt the data for the cops.

What the FBI could not get Apple to do, maybe the NYPD can get the owner to do.  Note that, it appears, it does not matter if you are at fault.

While Cellebrite could, possibly, be honest in what data they are extracting, the FBI has already admitted that they have technology to snoop on your phone.  What is to stop a police officer from inserting that technology while “checking” your phone for distracted driving?  Or, in an admittedly even more far-fetched case, causing an accident to happen in order to get their hands on your phone to insert that technology?

It is also unclear if the law applies to passengers’ phones.

On the other hand, having a burner phone handy could be a simple way around the problem.

A more subtle way around this is to use virtualization technology like Samsung Knox or Google’s Android for Work, which encrypts the data on the phone in a separate partition.  As long as that partition is not active at the time, my guess is that the Cellebrite tech would not be able to read it – short of any bugs in the software that make it vulnerable.

One other thing to consider.  There is already a way to get this data which is a lot less invasive and that is to ask the driver’s cell phone carrier for usage data.  This requires a warrant, which requires more work, but also protects people’s privacy.  Curiously, this is exactly what they did in the case of DORC’s co-founder’s son’s accident – and they did find that the phone was in use near the time of the accident.

Information for this post came from Ars Technica.